Harlan,
Since this is a fairly common need I'm sure there are a few out there, but I haven't seen them directly. Here's a script used to carve IP Addresses from unallocated space that you should be able to hack up to do what you want:
----begin script------
#############################################################################
# Script Name: CarvIPAddresses.pl
# Discription: Script to search for, select and extract all jpg files
#
#
# Initially, this script will proceed with a content search. Once it is done,
# The Script will fetch all free clusters from the partition and start searching.
# The function, ReadConsSectors reads consecutive clusters from the file system
# those are free. If the header is found, then we will try to read the footer from
# that, assuming that, the file was consecutive.
# The script can be executed on any physical/logical drive/image or memory images.
#
# ProScript Version: 1.1
# Perl Version: 5.8.6
#
# Author: Development Team
# Histroy: 8/4/5 Original Script using ProScript 1.1 data carving api's
# Known issues: Will not work on compressed images, will not work on multi image projects
#############################################################################
use ProScript;
# Users should ensure they set search term file location and target directory for exporting files
$TargetDir = "C:\\ProDiscover\\ProScript\\Output";
# Users should uncomment the header, footer, and extension for the desired artifact search.
# Note only one header, footer, and extension group shoud be uncommented.
sub FindIPAddress()
{
my ($Name) = @_;
$Header = "([\\d]+)\\.([\\d]+)\\.([\\d]+)\\.([\\d]+)";
$Footer = "";
$Extn = "txt";
my $Handle = PSSearchAndRecoverFile($Name, $Header, $Footer, $TargetDir, $Extn);
if ($Handle == 0)
{
PSDisplayText("Error starting data carving.");
return;
}
PSSetDCBlockSize($Handle, 20);
PSDisplayText("Starting data carving on $Name");
$ObjName = $Name;
my $NumEntries = 0;
PSDisplayText("Searching in $ObjName");
PSOpenObject($ObjName);
PSSetProgressRange(0, 100);
PSStartProcess();
while (1)
{
#PSDisplayText("In the first While");
last if (PSGetProcessing() == FALSE);
my $SearchData = "";
$SearchData = &ProScript::PSReadConsClusters($Handle);
my $IsEndOfDisk = PSDCIsEndOfDisk($Handle);
last if ($IsEndOfDisk == 1);
while (1)
{
#PSDisplayText("In the second While");
last if (PSGetProcessing() == FALSE);
if ($SearchData =~ m/(.*?)($Header)(.*)/s)
{
#Search string found. Construct the IP address
my $IPAddr = "$3.$4.$5.$6";
#Validate the IP address
$ValidIP = 1;
foreach $s (($1, $2, $3, $4))
{
if ($s < 0 || $s > 255)
{
$ValidIP = 0;
last;
}
}
if ($ValidIP)
{
$NumEntries++;
my $FName = PSGetNextFileName($Handle);
open(OUT,">>$FName");
binmode(OUT);
$IPAddr = $IPAddr . "\r\n";
print(OUT $IPAddr);
close(OUT);
}
$SearchData = $7;
next;
}
else
{
last;
}
}
my $Progress = PSDCGetPercentage($Handle);
PSSetProgress($Progress);
}
PSSetStatusText("");
PSCloseObject($ObjName);
PSSetProgress(0);
PSEndProcess();
PSDisplayText("$NumEntries IP Address(es) found during the operation.");
PSCloseHandle($Handle);
}
# Get all objects added to the current project
$totalObjects = PSGetObjectsCount();
# for each object added to the project search it
for($i=0; $i < $totalObjects; $i++)
{
$objectName = PSGetObjectName($i);
&FindIPAddress($objectName);
}
PSDisplayText("Done!");
-------------end script------------------